author | V3n3RiX <venerix@koprulu.sector> | 2023-12-26 01:33:45 +0000 |
committer | V3n3RiX <venerix@koprulu.sector> | 2023-12-26 01:33:45 +0000 |
commit | 15bb7733ddb1f16a0e3936969282ecc42419829a (patch) | |
tree | 56c720cc03bec3e9758966b4083b5916feca6962 /net-vpn/tor | |
parent | 026061ba423025e6713112920f290759cdee03c4 (diff) |
gentoo auto-resync : 26:12:2023 - 01:33:45
Diffstat (limited to 'net-vpn/tor')
-rw-r--r-- | net-vpn/tor/Manifest | 2 | ||||
-rw-r--r-- | net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch | 337 | ||||
-rw-r--r-- | net-vpn/tor/tor-0.4.7.16-r1.ebuild | 168 |
3 files changed, 507 insertions, 0 deletions
diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
index 8327fff9aa95..2e07b777ef0e 100644
--- a/net-vpn/tor/Manifest
+++ b/net-vpn/tor/Manifest
@@ -1,6 +1,7 @@
 AUX README.gentoo 316 BLAKE2B 9c962395e49a2eff8411e7fb3996d99e504b0023712151acdd6bee43755be89d52c970cbf7e5aae62c0adfb33ff7ad072578b88a40857bffb359a3d2c8571947 SHA512 6ca305c710562c0f9a3f0cba07760adf300ea166c8baa47e8872719190d779fb63d4dd6c9193fb60ddb51015138790aaa93935668423e0f861f05496d22ce660
 AUX tor-0.2.7.4-torrc.sample.patch 1341 BLAKE2B c6b398d6fd417e9029196046529109ed52c7c5dd6bd38505261116e15d1516a6e200583b480fe50b6e971d2ab4336673f9e75effa9dc8d3858c6248fbe31a69b SHA512 4a6b855734717416b6615fbd76bb75a54731767a74d3ade8c58fe52f4a42ee51c93ff8d591943343f319018e18d65b768bbe8fe936200ad829ab1e262c5e9b0f
 AUX tor-0.4.7.13-libressl.patch 7513 BLAKE2B 99bc969d24fed1c6652b572f9a9b27121a92bac67d46409b15e6a6e9f9f8d1a09851b91101461d0c8dc1d2792f5226ef33c5697009f6e65edac7297531cdd348 SHA512 72e005b0e1b2bd62321865c07080bb6f19d0144e0ec630796e75efb645c4dccf0dc200e5ad05ecc5c4522faeb3c4c0caf72cb6462aa3736c3bd0c17a38206c54
+AUX tor-0.4.7.16-arm64-sandbox.patch 11942 BLAKE2B 761ca6ee26d0e39c90fb0713fc36ecdb3ff349e40795c0124bfa4f0a72c51430e3ce65df82386a1e8b1d531460fe910629a1c702234712f1a061a8e9f93e4b20 SHA512 127755058ca29fc92a02fef820dd7c43994debc1554a4624bd4cae05e4bc3970da594ad865555d0bb2a847a151e093383ac19f83d5fa44b94588f8fb58c09a47
 AUX tor.confd 44 BLAKE2B 70df86a361c7b735283c5699e4d8d8a054a84629c749adb4dc57c196d49df4492471cb8b21dde43d668b31171ee2dfae81562a70367c72801ae60046908b022e SHA512 9028ac41e3acdf4405095addb69537e87edecafaec840296ac27a5a8992fe132dc822e4e4abb8826f76460c438da2719dea17859690d03e17198a82086a3d660
 AUX tor.initd-r9 942 BLAKE2B 1008ed981e1e7040b098f5c8c509e6a5de89e94b6fa110998c50b0521b99cb80e9b793a78de3de0e0e89d56553c32f3a6566015dd2c4fd77c812577f6f637d7a SHA512 fa3a6f52dc733d27f954299cfb32fc813ef731e1d124096450f7b53f0e4fce9f41cf48b66651d1f5383c18bdca8a87d6bbe03c65dc8a5f9a58660bb8db0040a1
 AUX tor.service 1050 BLAKE2B 7f6553b9f4b928f0c924d73ee6f9df8a99ee75ec1801f6b865a7d8e40ff30290bf836907b561586d0f429b7ddf05286ab51974d207906a0fe52cb2fbcc8e160f SHA512 786481b20d7cab9696656c5136ff74c9c2aaa73ca3d63b163a294b9b3c4b628da387cb5ec3ada81277ca81cff16ead5162f3b4d64cb0d773c22f2e4607c3194b
@@ -19,6 +20,7 @@ DIST tor-0.4.8.10.tar.gz.sha256sum 86 BLAKE2B 1410a5e7e486c7c33b6b217a53d250bc3e
 DIST tor-0.4.8.10.tar.gz.sha256sum.asc 716 BLAKE2B 0154ef1defa1a8227813ef3589f1fd4215f5bd305447fec1404f7950c0b89e6d9fcb6686900e4819d0f1a635d3b08e60cdc9c96a4f74e603185afb6eb1e29279 SHA512 aaeee664c9342a6cddaacfeea6e6974ce374d746153a28943dee1db3db48a8e08f36a076856358819cae8ea2f8b7d912d0e6dc2dc772465dba3283b553f43b91
 EBUILD tor-0.4.7.13-r1.ebuild 3754 BLAKE2B 7f74903deadf5f2e3c24328a5f047144e107dd48702bc6a411df3cf8b64072a6d717e2f02938d10b5aefa15d7ba43b0477f0ead8083e7a9b45622dea57722254 SHA512 b60da829bd21e4ae3bb44886cbe8dc598a68904808d356499c54618cc31418c5d35d120a527bb96a10025ffe761aaf9018f622acbb6ee1181dacd2fa6870ff6a
 EBUILD tor-0.4.7.14.ebuild 3913 BLAKE2B 1f2a8c13e9d82e8aaba5393570542c85e0477a769bed71e73a73379657f5425d407dee0520373959ac17ba26c02276c4363baae8ae54b0bb4fd0c1df11ae1732 SHA512 fc3e7c1f3dc339be7b0773fce16c56b92cafb437540e6f59c22f6e61268ed9522f2de9a677c49781bae3442bc741a6272643d16b10f9d6b6b9f31c6b31443fad
+EBUILD tor-0.4.7.16-r1.ebuild 3891 BLAKE2B d60319499bd332009a5baa4e603589c0e074a101c33d547d6468552a8048713074360ad032cfeb7a834481ee33bc103e8f7f9e6cbf654d59ff9fa8ecb241c0c5 SHA512 8ebb315dbb9918d6fc31a221215476d1bfbe4345cb014603685256fb94e279eead88e838d757dca745b0580c8b1bb7c97e3b3a45ed37dec8128cd22f3d46078c
 EBUILD tor-0.4.7.16.ebuild 3848 BLAKE2B 055aedeb3699510785c8584261144648af057e861257c7aa70d212cc91f98decbafb7451c27452b5fb42f7da201c783ded2dc0c9d76ebf6ac107965efe270100 SHA512 1838b05d4e023e4e09c8e5b185cec464f2c26e8fcd48d4dc5645402667dd3afddb79a7727cc457d3c4c6b40ca2b18f8b79a9e3b8aa7c434f727ab27f9c48088d
 EBUILD tor-0.4.8.10.ebuild 4301 BLAKE2B 223c26c7e8b70f06dedc56f2e90b4e37e66345c0b2886c75f11fc2b31d54e1383b4ebb9ad6cf2bf94095add9914a5c55995d96c19d51896a996c69b79a5f2795 SHA512 440ee0ce19e6203c4e4195568cd2c74ef67b00ef4ae23ca43563d3cde8426e795a4e2f22f7aa64ae7bf244b96b8583854ca4fd2dc6aa36b6be235e9ebf2a8281
 EBUILD tor-9999.ebuild 4301 BLAKE2B 223c26c7e8b70f06dedc56f2e90b4e37e66345c0b2886c75f11fc2b31d54e1383b4ebb9ad6cf2bf94095add9914a5c55995d96c19d51896a996c69b79a5f2795 SHA512 440ee0ce19e6203c4e4195568cd2c74ef67b00ef4ae23ca43563d3cde8426e795a4e2f22f7aa64ae7bf244b96b8583854ca4fd2dc6aa36b6be235e9ebf2a8281
diff --git a/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch b/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch
new file mode 100644
index 000000000000..2b473bf981b6
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch
@@ -0,0 +1,337 @@ +From https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/574 +Gentoo Bug: https://bugs.gentoo.org/920063 +From: Pierre Bourdon <delroth@gmail.com> +Date: Sat, 30 Apr 2022 11:52:59 +0200 +Subject: [PATCH 1/4] sandbox: fix openat filtering on AArch64 + +New glibc versions not sign-extending 32 bit negative constants seems to +not be a thing on AArch64. I suspect that this might not be the only +architecture where the sign-extensions is happening, and the correct fix +might be instead to use a proper 32 bit comparison for the first openat +parameter. For now, band-aid fix this so the sandbox can work again on +AArch64. +--- a/src/lib/sandbox/sandbox.c ++++ b/src/lib/sandbox/sandbox.c +@@ -518,7 +518,12 @@ libc_uses_openat_for_opendir(void) + static int + libc_negative_constant_needs_cast(void) + { ++#if defined(__aarch64__) && defined(__LP64__) ++ /* Existing glibc versions always sign-extend to 64 bits on AArch64. */ ++ return 0; ++#else + return is_libc_at_least(2, 27); ++#endif + } + + /** Allow a single file to be opened. If <b>use_openat</b> is true, +-- +GitLab + + +From 8fd13f7a7bfd4efc02d888ce9d10bcb6a80a03c8 Mon Sep 17 00:00:00 2001 +From: Pierre Bourdon <delroth@gmail.com> +Date: Sat, 30 Apr 2022 13:02:16 +0200 +Subject: [PATCH 2/4] sandbox: filter {chown,chmod,rename} via their *at + variant on Aarch64 + +The chown/chmod/rename syscalls have never existed on AArch64, and libc +implements the POSIX functions via the fchownat/fchmodat/renameat +syscalls instead. + +Add new filter functions for fchownat/fchmodat/renameat, not made +architecture specific since the syscalls exists everywhere else too. +However, in order to limit seccomp filter space usage, we only insert +rules for one of {chown, chown32, fchownat} depending on the +architecture (resp. {chmod, fchmodat}, {rename, renameat}). 
+--- a/src/lib/sandbox/sandbox.c ++++ b/src/lib/sandbox/sandbox.c +@@ -614,6 +614,32 @@ sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter) + return 0; + } + ++static int ++sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter) ++{ ++ int rc; ++ sandbox_cfg_t *elem = NULL; ++ ++ // for each dynamic parameter filters ++ for (elem = filter; elem != NULL; elem = elem->next) { ++ smp_param_t *param = elem->param; ++ ++ if (param != NULL && param->prot == 1 && param->syscall ++ == SCMP_SYS(fchmodat)) { ++ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat), ++ SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD), ++ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value)); ++ if (rc != 0) { ++ log_err(LD_BUG,"(Sandbox) failed to add fchmodat syscall, received " ++ "libseccomp error %d", rc); ++ return rc; ++ } ++ } ++ } ++ ++ return 0; ++} ++ + #ifdef __i386__ + static int + sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter) +@@ -666,6 +692,32 @@ sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter) + } + #endif /* defined(__i386__) */ + ++static int ++sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter) ++{ ++ int rc; ++ sandbox_cfg_t *elem = NULL; ++ ++ // for each dynamic parameter filters ++ for (elem = filter; elem != NULL; elem = elem->next) { ++ smp_param_t *param = elem->param; ++ ++ if (param != NULL && param->prot == 1 && param->syscall ++ == SCMP_SYS(fchownat)) { ++ rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat), ++ SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD), ++ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value)); ++ if (rc != 0) { ++ log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received " ++ "libseccomp error %d", rc); ++ return rc; ++ } ++ } ++ } ++ ++ return 0; ++} ++ + /** + * Function responsible for setting up the rename syscall for + * the seccomp filter sandbox. 
+@@ -697,6 +749,39 @@ sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter) + return 0; + } + ++/** ++ * Function responsible for setting up the renameat syscall for ++ * the seccomp filter sandbox. ++ */ ++static int ++sb_renameat(scmp_filter_ctx ctx, sandbox_cfg_t *filter) ++{ ++ int rc; ++ sandbox_cfg_t *elem = NULL; ++ ++ // for each dynamic parameter filters ++ for (elem = filter; elem != NULL; elem = elem->next) { ++ smp_param_t *param = elem->param; ++ ++ if (param != NULL && param->prot == 1 && ++ param->syscall == SCMP_SYS(renameat)) { ++ ++ rc = seccomp_rule_add_4(ctx, SCMP_ACT_ALLOW, SCMP_SYS(renameat), ++ SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD), ++ SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value), ++ SCMP_CMP_NEG(2, SCMP_CMP_EQ, AT_FDCWD), ++ SCMP_CMP_STR(3, SCMP_CMP_EQ, param->value2)); ++ if (rc != 0) { ++ log_err(LD_BUG,"(Sandbox) failed to add renameat syscall, received " ++ "libseccomp error %d", rc); ++ return rc; ++ } ++ } ++ } ++ ++ return 0; ++} ++ + /** + * Function responsible for setting up the openat syscall for + * the seccomp filter sandbox. 
+@@ -1317,7 +1402,9 @@ static sandbox_filter_func_t filter_func[] = { + #else + sb_chown, + #endif ++ sb_fchownat, + sb_chmod, ++ sb_fchmodat, + sb_open, + sb_openat, + sb_opendir, +@@ -1325,6 +1412,7 @@ static sandbox_filter_func_t filter_func[] = { + sb_ptrace, + #endif + sb_rename, ++ sb_renameat, + #ifdef __NR_fcntl64 + sb_fcntl64, + #endif +@@ -1592,10 +1680,24 @@ new_element(int syscall, char *value) + + #ifdef __i386__ + #define SCMP_chown SCMP_SYS(chown32) ++#elif defined(__aarch64__) && defined(__LP64__) ++#define SCMP_chown SCMP_SYS(fchownat) + #else + #define SCMP_chown SCMP_SYS(chown) + #endif + ++#if defined(__aarch64__) && defined(__LP64__) ++#define SCMP_chmod SCMP_SYS(fchmodat) ++#else ++#define SCMP_chmod SCMP_SYS(chmod) ++#endif ++ ++#if defined(__aarch64__) && defined(__LP64__) ++#define SCMP_rename SCMP_SYS(renameat) ++#else ++#define SCMP_rename SCMP_SYS(rename) ++#endif ++ + #ifdef __NR_stat64 + #define SCMP_stat SCMP_SYS(stat64) + #else +@@ -1633,7 +1735,7 @@ sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file) + { + sandbox_cfg_t *elem = NULL; + +- elem = new_element(SCMP_SYS(chmod), file); ++ elem = new_element(SCMP_chmod, file); + + elem->next = *cfg; + *cfg = elem; +@@ -1659,7 +1761,7 @@ sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2) + { + sandbox_cfg_t *elem = NULL; + +- elem = new_element2(SCMP_SYS(rename), file1, file2); ++ elem = new_element2(SCMP_rename, file1, file2); + + elem->next = *cfg; + *cfg = elem; +-- +GitLab + + +From eb0749d64917fee6ff74c3810dbec8cd063f546c Mon Sep 17 00:00:00 2001 +From: Pierre Bourdon <delroth@gmail.com> +Date: Wed, 4 May 2022 07:19:40 +0200 +Subject: [PATCH 3/4] sandbox: replace SCMP_CMP_NEG with masked equality checks + +For some syscalls the kernel ABI uses 32 bit signed integers. Whether +these 32 bit integer values are sign extended or zero extended to the +native 64 bit register sizes is undefined and dependent on the {arch, +compiler, libc} being used. 
Instead of trying to detect which cases +zero-extend and which cases sign-extend, this commit uses a masked +equality check on the lower 32 bits of the value. +--- a/src/lib/sandbox/sandbox.c ++++ b/src/lib/sandbox/sandbox.c +@@ -141,10 +141,12 @@ static sandbox_cfg_t *filter_dynamic = NULL; + * the high bits of the value might get masked out improperly. */ + #define SCMP_CMP_MASKED(a,b,c) \ + SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c)) +-/* For negative constants, the rule to add depends on the glibc version. */ +-#define SCMP_CMP_NEG(a,op,b) (libc_negative_constant_needs_cast() ? \ +- (SCMP_CMP((a), (op), (unsigned int)(b))) : \ +- (SCMP_CMP_STR((a), (op), (b)))) ++/* Negative constants aren't consistently sign extended or zero extended. ++ * Different compilers, libc, and architectures behave differently. For cases ++ * where the kernel ABI uses a 32 bit integer, this macro can be used to ++ * mask-compare only the lower 32 bits of the value. */ ++#define SCMP_CMP_LOWER32_EQ(a,b) \ ++ SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, (unsigned int)(b)) + + /** Variable used for storing all syscall numbers that will be allowed with the + * stage 1 general Tor sandbox. +@@ -513,19 +515,6 @@ libc_uses_openat_for_opendir(void) + (is_libc_at_least(2, 15) && !is_libc_at_least(2, 22)); + } + +-/* Return true if we think we're running with a libc that needs to cast +- * negative arguments like AT_FDCWD for seccomp rules. */ +-static int +-libc_negative_constant_needs_cast(void) +-{ +-#if defined(__aarch64__) && defined(__LP64__) +- /* Existing glibc versions always sign-extend to 64 bits on AArch64. */ +- return 0; +-#else +- return is_libc_at_least(2, 27); +-#endif +-} +- + /** Allow a single file to be opened. If <b>use_openat</b> is true, + * we're using a libc that remaps all the opens into openats. 
*/ + static int +@@ -533,7 +522,7 @@ allow_file_open(scmp_filter_ctx ctx, int use_openat, const char *file) + { + if (use_openat) { + return seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), +- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD), ++ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD), + SCMP_CMP_STR(1, SCMP_CMP_EQ, file)); + } else { + return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), +@@ -627,7 +616,7 @@ sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter) + if (param != NULL && param->prot == 1 && param->syscall + == SCMP_SYS(fchmodat)) { + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat), +- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD), ++ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD), + SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add fchmodat syscall, received " +@@ -705,7 +694,7 @@ sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter) + if (param != NULL && param->prot == 1 && param->syscall + == SCMP_SYS(fchownat)) { + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat), +- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD), ++ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD), + SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received " +@@ -767,9 +756,9 @@ sb_renameat(scmp_filter_ctx ctx, sandbox_cfg_t *filter) + param->syscall == SCMP_SYS(renameat)) { + + rc = seccomp_rule_add_4(ctx, SCMP_ACT_ALLOW, SCMP_SYS(renameat), +- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD), ++ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD), + SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value), +- SCMP_CMP_NEG(2, SCMP_CMP_EQ, AT_FDCWD), ++ SCMP_CMP_LOWER32_EQ(2, AT_FDCWD), + SCMP_CMP_STR(3, SCMP_CMP_EQ, param->value2)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add renameat syscall, received " +@@ -799,7 +788,7 @@ sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter) + if (param != NULL && param->prot == 1 && param->syscall + == SCMP_SYS(openat)) { + rc = 
seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), +- SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD), ++ SCMP_CMP_LOWER32_EQ(0, AT_FDCWD), + SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value), + SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY| + O_CLOEXEC)); +-- +GitLab + + +From 42034ae9da2866c67ce8cb8522d6a619d8b21170 Mon Sep 17 00:00:00 2001 +From: Pierre Bourdon <delroth@gmail.com> +Date: Wed, 4 May 2022 07:31:06 +0200 +Subject: [PATCH 4/4] changes: add entry for MR !574 + +--- /dev/null ++++ b/changes/aarch64_sandbox +@@ -0,0 +1,5 @@ ++ o Minor bugfixes (sandbox): ++ - Fix sandbox support on AArch64 systems. More "*at" variants of syscalls ++ are now supported. Signed 32 bit syscall parameters are checked more ++ precisely, which should lead to lower likelihood of breakages with future ++ compiler and libc releases. Fixes bug 40599; bugfix on 0.4.4.3-alpha. +-- +GitLab + diff --git a/net-vpn/tor/tor-0.4.7.16-r1.ebuild b/net-vpn/tor/tor-0.4.7.16-r1.ebuild new file mode 100644 index 000000000000..1c40fca5fb09 --- /dev/null +++ b/net-vpn/tor/tor-0.4.7.16-r1.ebuild 
@@ -0,0 +1,168 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/torproject.org.asc
+inherit edo python-any-r1 readme.gentoo-r1 systemd verify-sig
+
+MY_PV="$(ver_rs 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="https://www.torproject.org/ https://gitlab.torproject.org/tpo/core/tor/"
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://gitlab.torproject.org/tpo/core/tor"
+ inherit autotools git-r3
+else
+ SRC_URI="
+ https://www.torproject.org/dist/${MY_PF}.tar.gz
+ https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
+ verify-sig? (
+ https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
+ https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
+ )
+ "
+
+ S="${WORKDIR}/${MY_PF}"
+
+ if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
+ KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86 ~ppc-macos"
+ fi
+
+ BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20230727 )"
+fi
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening test zstd"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+ >=dev-libs/libevent-2.1.12-r1:=[ssl]
+ dev-libs/openssl:=[-bindist(-)]
+ sys-libs/zlib
+ caps? ( sys-libs/libcap )
+ man? ( app-text/asciidoc )
+ lzma? ( app-arch/xz-utils )
+ scrypt? ( app-crypt/libscrypt )
+ seccomp? ( >=sys-libs/libseccomp-2.4.1 )
+ systemd? ( sys-apps/systemd:= )
+ zstd? ( app-arch/zstd:= )
+"
+RDEPEND="
+ acct-user/tor
+ acct-group/tor
+ ${DEPEND}
+ selinux? ( sec-policy/selinux-tor )
+"
+DEPEND+="
+ test? (
+ ${DEPEND}
+ ${PYTHON_DEPS}
+ )
+"
+
+DOCS=()
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+ "${FILESDIR}"/${P}-arm64-sandbox.patch
+)
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_unpack() {
+ if [[ ${PV} == 9999 ]] ; then
+ git-r3_src_unpack
+ else
+ if use verify-sig; then
+ cd "${DISTDIR}" || die
+ verify-sig_verify_detached ${MY_PF}.tar.gz.sha256sum{,.asc}
+ verify-sig_verify_unsigned_checksums \
+ ${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
+ cd "${WORKDIR}" || die
+ fi
+
+ default
+ fi
+}
+
+src_prepare() {
+ default
+
+ # Running shellcheck automagically isn't useful for ebuild testing.
+ echo "exit 0" > scripts/maint/checkShellScripts.sh || die
+
+ if [[ ${PV} == 9999 ]] ; then
+ eautoreconf
+ fi
+}
+
+src_configure() {
+ use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
+
+ export ac_cv_lib_cap_cap_init=$(usex caps)
+ export tor_cv_PYTHON="${EPYTHON}"
+
+ local myeconfargs=(
+ --localstatedir="${EPREFIX}/var"
+ --disable-all-bugs-are-fatal
+ --enable-system-torrc
+ --disable-android
+ --disable-coverage
+ --disable-html-manual
+ --disable-libfuzzer
+ --enable-missing-doc-warnings
+ --disable-module-dirauth
+ --enable-pic
+ --disable-restart-debugging
+
+ $(use_enable man asciidoc)
+ $(use_enable man manpage)
+ $(use_enable lzma)
+ $(use_enable scrypt libscrypt)
+ $(use_enable seccomp)
+ $(use_enable server module-relay)
+ $(use_enable systemd)
+ $(use_enable tor-hardening gcc-hardening)
+ $(use_enable tor-hardening linker-hardening)
+ $(use_enable test unittests)
+ $(use_enable zstd)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_test() {
+ local skip_tests=(
+ # Fails in sandbox
+ :sandbox/open_filename
+ :sandbox/openat_filename
+ )
+
+ # The makefile runs these by parallel by chunking them with a script
+ # but that means we lose verbosity and can't skip individual tests easily
+ # either.
+ edo ./src/test/test --verbose "${skip_tests[@]}"
+}
+
+src_install() {
+ default
+ readme.gentoo_create_doc
+
+ newconfd "${FILESDIR}"/tor.confd tor
+ newinitd "${FILESDIR}"/tor.initd-r9 tor
+ systemd_dounit "${FILESDIR}"/tor.service
+
+ keepdir /var/lib/tor
+
+ fperms 750 /var/lib/tor
+ fowners tor:tor /var/lib/tor
+
+ insinto /etc/tor/
+ newins "${FILESDIR}"/torrc-r2 torrc
+}
|
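Review bot: The `skip_tests` list in `src_test` excludes `:sandbox/open_filename` and `:sandbox/openat_filename`, which by name appear to be the seccomp-sandbox openat tests covering exactly the filtering that the newly added `"${FILESDIR}"/${P}-arm64-sandbox.patch` rewrites, so the test phase of this -r1 revision never exercises the fix it exists for. The comment `# Fails in sandbox` also leaves it unclear whether "sandbox" means Portage's FEATURES=sandbox or tor's own seccomp sandbox; if it is the former, say so and record the consequence, e.g. `# Fail under Portage's build sandbox (FEATURES=sandbox); they are tor's seccomp-sandbox tests, so the arm64 sandbox fix from ${P}-arm64-sandbox.patch is not verified by src_test`. That tells the next maintainer that a regression in the backported sandbox patch would only surface at runtime on arm64, not during the build.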